The goal of this assignment is to find some (deliberate) security
holes in a short program I wrote. (It's quite possible there are
more than I intended -- you get extra credit if you find a new one,
so long as your attack techniques only target this program and not,
say, my account, the network, etc....)

The program in question is /homes/ACMClass/acm50/file-hmac; it
exists on compute01-compute08. You'll have to do your work on one
of those machines.

file-hmac computes an HMAC (more or less; see RFC 2104) on a file
or set of files. It's up to you to figure out how to invoke it.

Roughly speaking, HMAC involves a secret key K and a hash function.
You calculate the HMAC of message M as H(K, H(K, M)). This program
effectively does

    cat secretfile input | sha1sum | cat secretfile - | sha1sum
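
To make the "more or less" concrete, here is an added example (not part of the original assignment and not the file-hmac source) that models the pipeline exactly as written above next to HMAC-SHA1 as RFC 2104 defines it. The function names and the sample secret and input are constructed for illustration; the real program may differ from the pipeline in details.

```python
import hashlib

BLOCK = 64  # SHA-1 block size in bytes (B in RFC 2104)


def sha1sum_stdin(data: bytes) -> bytes:
    """What `sha1sum` prints for stdin: 40 hex digits, two spaces, '-', newline."""
    return hashlib.sha1(data).hexdigest().encode("ascii") + b"  -\n"


def pipeline_mac(secret: bytes, message: bytes) -> str:
    """cat secretfile input | sha1sum | cat secretfile - | sha1sum"""
    # First sha1sum hashes secret||input and emits a *text line*, not raw bytes.
    inner_line = sha1sum_stdin(secret + message)
    # Second stage hashes secret||that text line (including "  -\n").
    outer_line = sha1sum_stdin(secret + inner_line)
    return outer_line[:40].decode("ascii")


def rfc2104_hmac_sha1(key: bytes, message: bytes) -> str:
    """HMAC per RFC 2104: H(K ^ opad, H(K ^ ipad, M))."""
    if len(key) > BLOCK:              # over-long keys are hashed first
        key = hashlib.sha1(key).digest()
    key = key.ljust(BLOCK, b"\x00")   # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha1(ipad + message).digest()  # raw 20-byte digest
    return hashlib.sha1(opad + inner).hexdigest()


if __name__ == "__main__":
    # Constructed sample values; not the assignment's secret or input.
    secret = b"constructed-sample-secret\n"
    message = b"constructed sample input\n"
    print("pipeline :", pipeline_mac(secret, message))
    print("RFC 2104 :", rfc2104_hmac_sha1(secret, message))
```

The two differ in that the pipeline uses the key unpadded and without the ipad/opad masks, and its outer hash consumes the inner digest as sha1sum's printed line rather than as raw bytes.
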

The goal of this assignment is to figure out what the secret is.

The actual attack program is likely to be quite small; the real
effort here is in finding the holes. As such, you need to turn in
a written document explaining your analysis, including the output
of any commands you ran.

*This is not a paper-writing exercise*. If you found it useful to
run

    snark --boojum

say so, and mention significant output lines from the program.
Don't bother to explain what snark or its --boojum option do; assume
that I either know or can find out. An annotated session from
"script", though not quite what I want, is much closer to what I'm
looking for than a technical paper is. Again -- concentrate on
the techniques; don't spend your time writing or (worse yet)
formatting. (If you really want to write a paper, sign up for
my Privacy and Anonymity course -- E6184, assuming it's approved --
where you'll have to write two papers, or do an independent study
course.)

There are at least three (maybe four, depending on how you count)
holes in the program -- impressive, in a source file that's less
than 100 lines long. You only need to find one hole. You get
(quite modest) extra credit if you can explain how one of the holes
is a consequence of protective measures I did take. (Yes, I know
I'm being vague.)

I do not think you can damage /homes/ACMClass/acm50/file-hmac;
regardless, it's against the rules to try. If you think you've
done so accidentally, notify me *immediately*.

You do not need to know assembler to launch any of the attacks; that
means that there are no buffer overflows.